The information in this document is based on these software and
hardware versions:

Cisco 4400 WLC that runs firmware release 5.0

The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.

WLC software versions before 5.0 do not support the RADIUS server
fallback mechanism. When the primary RADIUS server becomes unavailable, the WLC
fails over to the next active backup RADIUS server. The WLC continues to use
the secondary RADIUS server indefinitely, even if the primary server is
available. Usually the primary server is the high-performance, preferred
server.

In WLC 5.0, the WLC supports the RADIUS server fallback feature. With
this feature, the WLC can be configured to check whether the primary server is
available and to switch back to the primary RADIUS server once it is available.
In order to do this, the WLC supports two new modes, passive and active, to
check the status of the RADIUS server. The WLC comes back to the most
preferable server after the specified timeout value.

In active mode, when a server does not respond to the WLC
authentication request, the WLC marks the server as dead, moves the server
to the non-active server pool, and starts sending probe messages periodically
until that server responds. If the server responds, the WLC moves the dead
server back to the active pool and stops sending probe messages. In this mode,
when an authentication request comes in, the WLC always picks the lowest index
(highest priority) server from the active pool of RADIUS servers.

The WLC sends a probe packet after the timeout (default 300 sec) to
determine the server status in case the server was unresponsive earlier.

In passive mode, if a server does not respond to the WLC authentication
request, the WLC moves the server to the inactive queue and sets a timer. When
the timer expires, the WLC moves the server to the active queue irrespective of
the server’s actual status. When an authentication request comes in, the WLC
picks the lowest index (highest priority) server from the active queue (which
might include the non-active server). If the server does not respond, the WLC
marks it as inactive, sets the timer, and moves to the next highest priority
server. This process continues until the WLC finds an active RADIUS server or
the active server pool is exhausted.

The WLC assumes the server is active after the timeout (default 300 sec) in
case the server was unresponsive earlier. If it is still unresponsive, the WLC
waits for another timeout and tries again when an authentication request comes
in.

In off mode, the WLC supports failover only. In other words, fallback
is disabled. When the primary RADIUS server goes down, the WLC fails over to
the next active backup RADIUS server. The WLC continues to use the secondary
RADIUS server indefinitely, even if the primary server is available.
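
The three modes can be compared in a simplified model. This is an added example, not Cisco code: the class and function names are hypothetical, the outage scenario is constructed, and timers and probes are evaluated at each authentication request instead of by a background timer.

```python
class FallbackModel:
    """Simplified model of WLC RADIUS fallback (hypothetical names)."""

    def __init__(self, mode, servers, interval=300):
        self.mode, self.interval = mode, interval
        self.servers = list(servers)      # list order = index order (priority)
        self.active = set(self.servers)   # servers the WLC will try
        self.retry_at = {}                # dead server -> next probe/timer expiry
        self.probes = []                  # (time, server) probes sent, active mode

    def tick(self, now, reachable):
        """Run expired timers: probe (active) or reinstate blindly (passive)."""
        for srv, due in list(self.retry_at.items()):
            if self.mode == "off" or now < due:
                continue                  # off mode never falls back
            if self.mode == "active":
                self.probes.append((now, srv))
                if srv not in reachable:  # probe unanswered: keep probing
                    self.retry_at[srv] = now + self.interval
                    continue
            self.active.add(srv)          # passive: back in, whatever its status
            del self.retry_at[srv]

    def authenticate(self, now, reachable):
        """Return (server that answered or None, servers that timed out)."""
        self.tick(now, reachable)
        timed_out = []
        for srv in self.servers:          # lowest index first
            if srv not in self.active:
                continue
            if srv in reachable:
                return srv, timed_out
            self.active.discard(srv)      # mark dead and start the timer
            self.retry_at[srv] = now + self.interval
            timed_out.append(srv)
        return None, timed_out


def run(mode):
    """Constructed scenario: primary is down until t=600, then back up."""
    model = FallbackModel(mode, ["primary", "secondary"])
    log = []
    for now in (0, 100, 300, 400, 600, 700):
        up = {"secondary"} if now < 600 else {"primary", "secondary"}
        log.append((now, *model.authenticate(now, up)))
    return log
```

At t=300 the passive run spends one client authentication attempt on the still-dead primary, while the active run spends a probe instead; in off mode the primary is never used again.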

Use the following commands from the WLC CLI to enable the RADIUS server
fallback feature on the WLC.

The first step is to select the mode of RADIUS server fallback. As
mentioned earlier, the WLC supports active and passive modes of
fallback.

In order to select the mode of fallback, use this command:

WLC1 > config radius fallback-test mode {active/passive/off}

active—Sends probes to dead servers to test
status.

passive—Sets server status based on last
transaction.

off—Disables server fallback test
(default).

The next step is to select the interval, which specifies the probe
interval for active mode or the inactive time for passive mode.

In order to set the interval, use this command:

WLC1 > config radius fallback-test interval {180 - 3600}

<180 to 3600>—Enter probe interval or
inactive time in seconds (default 300).

The interval specifies the probe interval in the case of active mode
fallback or inactive time in the case of passive mode fallback.

For active mode of operation, you need to configure a username which
will be used in the probe request sent to the RADIUS server.

In order to configure the username, use this command:

WLC1 > config radius fallback-test username {username}

<username>—Enter name up to 16 alphanumeric
characters (default "cisco-probe").

Note: You can enter your own username or leave it with the default. The
default username is “cisco-probe”. Because this username is used to send probe
messages, you do not need to configure any password.